Zope.org DNS ( was Re: http://namespaces.zope.org/zope )

On 9/26/06, Jens Vagelpohl <jens [at] dataflake> wrote:
> On 26 Sep 2006, at 14:40, Martijn Faassen wrote:
>> We're currently investigating mechanisms by which we (as the community) can manage the nameserver for zope.org - a requirement to bring namespaces.zope.org into being. We're also trying to figure out what could be listening on the other end.
>
> If DNS is a bottleneck I volunteer to host the zope.org zone on my colocated servers (ns1.dataflake.org as primary, ns1.zetwork.com as secondary). The data center they are in (in Richmond/VA) has redundant internet connectivity and a sterling uptime record for their network.

We should totally figure out a solution for this. I also have resources available to host DNS.

I am a volunteer for the Association for Computing Machinery, and we are beginning to use Zope and Plone pretty significantly. Perhaps we wouldn't mind owning this zone. We currently have no DNS management tool, but I have the source code to an old one lying around I could resurrect, ugly as it may be.

One reason I like the idea of the ACM hosting this zone is that we are probably going to stick around, so Zope.org won't be likely to fall by the wayside. Perhaps we could devise a system whereby several organizations provide NS records for zope.org and replicate, either via AXFR or otherwise.

On 26 Sep 2006, at 16:56, Justizin wrote:
> One reason I like the idea of the ACM hosting this zone is that we are probably going to stick around, so Zope.org won't be likely to fall by the wayside.

Umh, thanks for implying that others (like me) won't be around and would leave zope.org in the lurch...

We can use someone like zoneedit.com for the primary, and then have a bunch of secondaries.....I'm sure there's lots of us who could do secondary dns for this. I've used zoneedit for several years now - flawlessly. First 5 domains are free - so that shouldn't be a problem.

Andrew

On 9/26/06 10:56 AM, "Justizin" <justizin [at] siggraph> wrote:

> On 9/26/06, Jens Vagelpohl <jens [at] dataflake> wrote:
>> On 26 Sep 2006, at 14:40, Martijn Faassen wrote:
>>> We're currently investigating mechanisms by which we (as the community) can manage the nameserver for zope.org - a requirement to bring namespaces.zope.org into being. We're also trying to figure out what could be listening on the other end.
>>
>> If DNS is a bottleneck I volunteer to host the zope.org zone on my colocated servers (ns1.dataflake.org as primary, ns1.zetwork.com as secondary). The data center they are in (in Richmond/VA) has redundant internet connectivity and a sterling uptime record for their network.
>
> We should totally figure out a solution for this. I also have resources available to host DNS.
>
> I am a volunteer for the Association for Computing Machinery, and we are beginning to use Zope and Plone pretty significantly. Perhaps we wouldn't mind owning this zone. We currently have no DNS management tool, but I have the source code to an old one lying around I could resurrect, ugly as it may be.
>
> One reason I like the idea of the ACM hosting this zone is that we are probably going to stick around, so Zope.org won't be likely to fall by the wayside. Perhaps we could devise a system whereby several organizations provide NS records for zope.org and replicate, either via AXFR or otherwise.

> We can use someone like zoneedit.com for the primary, and then have a bunch of secondaries.....I'm sure there's lots of us who could do secondary dns for this. I've used zoneedit for several years now - flawlessly. First 5 domains are free - so that shouldn't be a problem.

Hey Andrew, learn bottom-posting please!

I haven't worked with zoneedit, but would volunteer a secondary DNS setup on one of my boxes.

DNS changes should be very tightly regulated and the group of people who can make them should be very small since DNS is a very important wheel in the machinery which can break all other services if not handled correctly. I don't think it is important to have some "newbie-friendly" tool.

ZoneEdit has a very ugly site, but technically I haven't had one single problem with them during four years of usage.

> I don't think it is important to have some "newbie-friendly" tool.

ZoneEdit isn't especially designed to be newbie-friendly. It is, compared to hand-editing text-files, but that's probably more as a side-effect of the fact that you configure things with forms that for example add both forward and reverse dns automatically and stuff.

ZoneEdit is an option that should be considered. I'm not enough of a DNS-guru to say if it's a better or worse option than other options, but it does work very well.

> On 26 Sep 2006, at 17:02, Andrew Sawyers wrote:
>> We can use someone like zoneedit.com for the primary, and then have a bunch of secondaries.....I'm sure there's lots of us who could do secondary dns for this. I've used zoneedit for several years now - flawlessly. First 5 domains are free - so that shouldn't be a problem.
>
> Hey Andrew, learn bottom-posting please!
>
> I haven't worked with zoneedit, but would volunteer a secondary DNS setup on one of my boxes.
>
> DNS changes should be very tightly regulated and the group of people who can make them should be very small since DNS is a very important wheel in the machinery which can break all other services if not handled correctly. I don't think it is important to have some "newbie-friendly" tool.
>
> jens

This has nothing to do with a newbie friendly tool - but a third party to be the primary, so that a single person isn't the 'owner' of this - so those with appropriate access can manage this. I'm sure all of us on the list understand the importance of DNS and its reliability. Since it's free and been around for years, I thought it was worthy of looking at for the group.

> This has nothing to do with a newbie friendly tool - but a third party to be the primary, so that a single person isn't the 'owner' of this - so those with appropriate access can manage this. I'm sure all of us on the list understand the importance of DNS and its reliability. Since it's free and been around for years, I thought it was worthy of looking at for the group.

Come to think of it, we are actually using http://dnsmadeeasy.com/ for the ACM. It isn't that we can't run a BIND or djbdns server (we are responsible for over fifty machines), but yanno, it's just easier.

A provider who focuses on DNS can make sure there is uber redundancy, and can, as mentioned, keep a single point of failure from affecting the zone's future edit-ability.

I definitely agree that it should be more difficult to get admin for Zope.org DNS than to get a Zope.org account for publishing content / filing bugs. ;)

On 26 Sep 2006, at 17:21, Andrew Sawyers wrote:
>> DNS changes should be very tightly regulated and the group of people who can make them should be very small since DNS is a very important wheel in the machinery which can break all other services if not handled correctly. I don't think it is important to have some "newbie-friendly" tool.
>>
>> jens
>
> This has nothing to do with a newbie friendly tool - but a third party to be the primary, so that a single person isn't the 'owner' of this - so those with appropriate access can manage this. I'm sure all of us on the list understand the importance of DNS and its reliability. Since it's free and been around for years, I thought it was worthy of looking at for the group.

Yeah, definitely. And if we go with that tool I volunteer to be hooked up as a secondary.

>> Yeah, definitely. And if we go with that tool I volunteer to be hooked up as a secondary.
> As do I .....

All this DNS volunteering is great! Unfortunately, I'm a bit at a loss on how to proceed, as I'm not very familiar with DNS issues.

So, what I need:

* a single contact person for DNS issues that I can contact whenever something DNS related is needed, can advise me on these issues should I have questions, and who will arrange DNS matters among the three of you. I propose it's one of you three (Justizin, Jens, Andrew). Anyone volunteering for that?

* A plan of action worked out between the three of you. I basically need to know what needs to be done bureaucratically from the side of Zope Corporation and the Foundation to get this arranged. I'll leave the actual work to you all - I intend to only be there when stuff needs to be expedited somehow.

> I believe a single DNS query over UDP can handle around 20-25 entries, depending on their size.
>
> Should be no problem for an 'NS' query for zope.org to point at ten or more hosts which run slave.
>
> The question is, does this tool allow that? I imagine so. I know that we set up a local slave in the convention center for SIGGRAPH in Boston this year from our cheapo DNS provider.

I'm not sure what you're trying to explain or ask here. Do you think there would be any problem in propagating updates? Well, there won't. And I don't see any need for more than 3 DNS servers (including the master). DNS is not resource-intensive in any way.

> Andrew Sawyers wrote:
>>> Yeah, definitely. And if we go with that tool I volunteer to be hooked up as a secondary.
>> As do I .....
>
> All this DNS volunteering is great! Unfortunately, I'm a bit at a loss on how to proceed, as I'm not very familiar with DNS issues.

The way it works is this:

- the owner/admin for the domain changes the domain name servers assigned for this domain through the registrar that holds the domain. This can normally be done using a web interface at the registrar. Someone at ZC must do this, and he needs an IP/hostname for the primary DNS server and IPs/hostnames for secondaries

- The zone data is pulled from the old servers and entered into the new primary. This zone data must reflect the new DNS primary/secondaries. Whenever the primary is updated, it will contact all the secondaries it knows about automatically and ask them to reload the data.

- The secondaries need to have their configuration changed so that they know they are secondaries for zope.org. They also need to know the IP of the primary. They will then automatically fetch zone data from the primary.

On 9/26/06, Jens Vagelpohl <jens [at] dataflake> wrote:
>> I believe a single DNS query over UDP can handle around 20-25 entries, depending on their size.
>>
>> Should be no problem for an 'NS' query for zope.org to point at ten or more hosts which run slave.
>>
>> The question is, does this tool allow that? I imagine so. I know that we set up a local slave in the convention center for SIGGRAPH in Boston this year from our cheapo DNS provider.
>
> I'm not sure what you're trying to explain or ask here. Do you think there would be any problem in propagating updates? Well, there won't. And I don't see any need for more than 3 DNS servers (including the master). DNS is not resource-intensive in any way.

Well, since I don't know about the suggested provider, here's my concern - let's say I manage your DNS on my servers, and you want to provide your own local servers. How do you get a copy of the latest zone? Your IP must be listed in my server so that it is allowed to perform AXFR queries.

All I'm saying is, I assume, hopefully, that this provider will allow us to specify hosts which are allowed to perform AXFR.

They will also probably provide us with 3-4 hosts which we can use for DNS. If you, me, and one other person each contribute two IP addresses on different networks, that puts the zope.org zone in pretty good shape, because various caching nameservers will handle the trouble of determining which authoritative record is best for them to use.

DNS may seem like a low-load service, but if you were to run a DNS provider yourself on a single machine, I challenge you to maintain 90% uptime. The last time I worked on a large DNS implementation we had twelve machines in each of two geographic locations - dual xeon machines with lots of RAM that did nothing but handle round-robin DNS queries.

IIRC, we had about 100,000 zones, but still, let's think about this for a moment. Imagine:

* I have www.stupidwebsiteforjerks.com
* Someone hates my stupid website, because it's for jerks
* My DNS records are in the same server as yours
* Someone decides to launch an 8MB/s or so DDoS against my NS records and my webserver IP.
* Your site starts failing to load for 30-60% of visitors after a few hours.

On 9/26/06, Martijn Faassen <faassen [at] infrae> wrote:
> Andrew Sawyers wrote:
>>> Yeah, definitely. And if we go with that tool I volunteer to be hooked up as a secondary.
>> As do I .....
>
> All this DNS volunteering is great! Unfortunately, I'm a bit at a loss on how to proceed, as I'm not very familiar with DNS issues.
>
> So, what I need:
>
> * a single contact person for DNS issues that I can contact whenever something DNS related is needed, can advise me on these issues should I have questions, and who will arrange DNS matters among the three of you. I propose it's one of you three (Justizin, Jens, Andrew). Anyone volunteering for that?

I'm glad to be the lead, and I'm glad for either of the other guys to be the lead. ;d

Whoever you decide to nag, I think the three of us can hammer this out.

> * A plan of action worked out between the three of you. I basically need to know what needs to be done bureaucratically from the side of Zope Corporation and the Foundation to get this arranged. I'll leave the actual work to you all - I intend to only be there when stuff needs to be expedited somehow.

Okay. We will need:

* A copy of the existing zope.org zone files
* Cooperation from rob [at] zope to change the NS record pointers
* A list of people who need access in ZoneEdit

On 26 Sep 2006, at 17:48, Justizin wrote:
> Well, since I don't know about the suggested provider, here's my concern - let's say I manage your DNS on my servers, and you want to provide your own local servers. How do you get a copy of the latest zone? Your IP must be listed in my server so that it is allowed to perform AXFR queries.

Do you know how DNS works? Slaves don't just ask for a transfer willy-nilly. Slaves are known to the primary and they get told when to ask.

> They will also probably provide us with 3-4 hosts which we can use for DNS. If you, me, and one other person each contribute two IP addresses on different networks, that puts the zope.org zone in pretty good shape, because various caching nameservers will handle the trouble of determining which authoritative record is best for them to use.
>
> DNS may seem like a low-load service, but if you were to run a DNS provider yourself on a single machine, I challenge you to maintain 90% uptime. The last time I worked on a large DNS implementation we had twelve machines in each of two geographic locations - dual xeon machines with lots of RAM that did nothing but handle round-robin DNS queries.

I have no idea what you are talking about. This is not some huge DNS service that we need. We need to serve exactly one zone. This can be done from a Palm Pilot, to be honest. I have run DNS services for years and years and don't share any of your doubts.

On 9/26/06, Jens Vagelpohl <jens [at] dataflake> wrote:
> On 26 Sep 2006, at 17:48, Justizin wrote:
>> Well, since I don't know about the suggested provider, here's my concern - let's say I manage your DNS on my servers, and you want to provide your own local servers. How do you get a copy of the latest zone? Your IP must be listed in my server so that it is allowed to perform AXFR queries.
>
> Do you know how DNS works? Slaves don't just ask for a transfer willy-nilly. Slaves are known to the primary and they get told when to ask.

I'm not sure this is correct. We should investigate before insulting each other's intelligence.

I know a great deal about how DNS works, thank you very much. ;)

>> They will also probably provide us with 3-4 hosts which we can use for DNS. If you, me, and one other person each contribute two IP addresses on different networks, that puts the zope.org zone in pretty good shape, because various caching nameservers will handle the trouble of determining which authoritative record is best for them to use.
>>
>> DNS may seem like a low-load service, but if you were to run a DNS provider yourself on a single machine, I challenge you to maintain 90% uptime. The last time I worked on a large DNS implementation we had twelve machines in each of two geographic locations - dual xeon machines with lots of RAM that did nothing but handle round-robin DNS queries.
>
> I have no idea what you are talking about. This is not some huge DNS service that we need. We need to serve exactly one zone. This can be done from a Palm Pilot, to be honest. I have run DNS services for years and years and don't share any of your doubts.

Okay, let's please not make this an argument.

*we* do not have large-scale DNS needs.

However, if we use someone like ZoneEdit.com, their nameservers are highly loaded. So, as I said, if someone decides to launch a DNS attack on ns1.zoneedit.com or whatever, it can affect the availability of zope.org, unless there are alternates, which is what we all propose.

It's a sad logical fallacy for you to state that because you have never seen this problem, it does not exist. I spent nearly three years as an engineer at one of the world's largest providers of managed internet services, and I can tell you that NS.RACKSPACE.COM and NS2.RACKSPACE.COM are hit multiple times a year by 8MB/s or greater DDoS attacks.

This was in a datacenter with 9GB/s of bandwidth via multiple OC-48 connections.

On 26 Sep 2006, at 18:00, Justizin wrote:
>> Do you know how DNS works? Slaves don't just ask for a transfer willy-nilly. Slaves are known to the primary and they get told when to ask.
>
> I'm not sure this is correct. We should investigate before insulting each other's intelligence.

This is exactly how it has correctly worked for me for years working with bind-based nameservers. You can always set up "rogue" secondaries that purport to serve zope.org, which then would have to be allowed to manually pull zone data, but what would be the point of that..?

> It's a sad logical fallacy for you to state that because you have never seen this problem, it does not exist. I spent nearly three years as an engineer at one of the world's largest providers of managed internet services, and I can tell you that NS.RACKSPACE.COM and NS2.RACKSPACE.COM are hit multiple times a year by 8MB/s or greater DDoS attacks.
>
> This was in a datacenter with 9GB/s of bandwidth via multiple OC-48 connections.

Sorry, I don't buy your argument. First of all, big companies like Rackspace will always be an attractive target. We're talking about one piddling open source project here. Secondly, you're omitting the need for economy/sanity. Rackspace has a strong economical need to be up 24/7. Yes, you could put 20 secondaries into the zope.org DNS structure, but what is the point? You will never need that capacity in your life. 3 total is plenty. With 20 secondaries you also have 20 cats to herd, meaning 20 people who own and manage those secondaries.

On 9/26/06, Jens Vagelpohl <jens [at] dataflake> wrote:
> On 26 Sep 2006, at 18:00, Justizin wrote:
>>> Do you know how DNS works? Slaves don't just ask for a transfer willy-nilly. Slaves are known to the primary and they get told when to ask.
>>
>> I'm not sure this is correct. We should investigate before insulting each other's intelligence.
>
> This is exactly how it has correctly worked for me for years working with bind-based nameservers. You can always set up "rogue" secondaries that purport to serve zope.org, which then would have to be allowed to manually pull zone data, but what would be the point of that..?

Okay, that's not what I'm suggesting. Whether you run it by hand or not, with BIND, you would use named-xfer, which executes an AXFR request.

So, if the master has to know about the slaves to *tell* them to grab the zone, then it knows about them to *allow* an AXFR, no?

Why are we arguing this? It's pretty clear at this point that ZoneEdit can handle this need. I wasn't familiar with it off-hand.

What I *do* know is that I can't pull an AXFR query of google.com and get the entire Zone, not from my local machine, which is not an approved DNS slave.

>> It's a sad logical fallacy for you to state that because you have never seen this problem, it does not exist. I spent nearly three years as an engineer at one of the world's largest providers of managed internet services, and I can tell you that NS.RACKSPACE.COM and NS2.RACKSPACE.COM are hit multiple times a year by 8MB/s or greater DDoS attacks.
>>
>> This was in a datacenter with 9GB/s of bandwidth via multiple OC-48 connections.
>
> Sorry, I don't buy your argument. First of all, big companies like Rackspace will always be an attractive target. We're talking about one piddling open source project here. Secondly, you're omitting the need for economy/sanity. Rackspace has a strong economical need to be up 24/7. Yes, you could put 20 secondaries into the zope.org DNS structure, but what is the point? You will never need that capacity in your life. 3 total is plenty. With 20 secondaries you also have 20 cats to herd, meaning 20 people who own and manage those secondaries.

(a) ZoneEdit probably has more zones than Rackspace, which is classified in Texas as a Small Business. ZoneEdit is well known enough that a handful of people on this small mailing list know of it. People don't quite always target Rackspace, they often targeted specific Rackspace customers. Someone might target ZoneEdit.

(b) None of this matters because three of us offered to host slaves! Why are you arguing against doing something you volunteered to do?

And why do you think I am trying to "sell" an argument? I'm telling you - it was my job to run a big DNS infrastructure. Judging by "ns12.zoneedit.com" and "ns10.zoneedit.com" which have been allocated to the zope.org zone I set up, ZoneEdit is running a similar magnitude of infrastructure.

On the other side of the coin, btw, if ZoneEdit is small fries in comparison to Rackspace, maybe that's a good reason not to rely on them as the only nameservers for zope.org. If their provider goes out for a few hours, we want zope.org to be available to the world.

I think you are exaggerating the extent to which my suggestion makes this complicated.

My suggestion: "Since several of us volunteer to donate DNS services to zope.org, let's all provide services, as DNS servers are known, from time to time, for various reasons, to go down."

If you disagree with that, then please, by all means, explain why. Otherwise, let go. We're all very smart. Let's make things happen.
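The setup Jens described earlier in the thread (registrar pointed at the primary, zone data loaded there, secondaries configured to pull from it) and the NOTIFY-versus-AXFR question argued in this message, as an added BIND 9 configuration example; it is not configuration from the thread or from any provider mentioned in it, and every IP address is a placeholder.

```conf
// Added example, not from the thread: named.conf fragments for a
// zope.org primary and for each volunteered secondary under BIND 9.
// Hostnames are the ones volunteered on the list; the addresses are
// RFC 5737 documentation placeholders, not real ones.

// ===== named.conf on the primary (the host entered at the registrar) =====

acl "zope-secondaries" {
    192.0.2.53;        // placeholder for ns1.dataflake.org
    198.51.100.53;     // placeholder for ns1.zetwork.com
};

options {
    // Weak setting: leaving allow-transfer out lets older BIND releases
    // hand the whole zone to any host that asks for AXFR. Restrict it to
    // the secondaries you actually operate.
    allow-transfer { "zope-secondaries"; };
    // Send DNS NOTIFY to the zone's NS hosts whenever the SOA serial
    // changes. This is the "tell them to ask" step, not the transfer.
    notify yes;
};

zone "zope.org" {
    type master;
    file "/var/named/zones/db.zope.org";
    // NOTIFY targets and transfer permission are separate settings: a host
    // listed here is told about changes, but it can only fetch the zone if
    // it is also matched by allow-transfer above.
    also-notify { 192.0.2.53; 198.51.100.53; };
};

// ===== named.conf on each secondary (one of the volunteer boxes) =====

zone "zope.org" {
    type slave;
    masters { 203.0.113.53; };             // placeholder for the primary
    file "/var/named/slave/db.zope.org";   // local copy, served if the primary is down
    // Only accept NOTIFY from the primary; anything else is ignored.
    allow-notify { 203.0.113.53; };
    // Secondaries answer queries but should not re-export the zone.
    allow-transfer { none; };
};

// If a NOTIFY is lost, the secondary still polls the SOA every "refresh"
// seconds and keeps serving its copy until "expire" seconds have passed,
// so a primary outage of a few hours does not take zope.org off the air.
```

The SOA serial in the zone file must be incremented on every edit, or the secondaries see no change and never transfer the new data.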

> I don't understand what you are debating, really. Could you clarify?

This is about propagating data from the primary DNS server (which would be that service Andrew suggested) to the databases held on the secondary DNS servers. It is a fully automatic process, under normal circumstances.

There's also the question of how many secondary servers we need, or how much DNS serving capacity. Most "normal" domains have one primary and one secondary server. I suggest one primary and two secondaries.

On 9/26/06, Jens Vagelpohl <jens [at] dataflake> wrote:
> On 26 Sep 2006, at 18:17, Lennart Regebro wrote:
>> I don't understand what you are debating, really. Could you clarify?
>
> This is about propagating data from the primary DNS server (which would be that service Andrew suggested) to the databases held on the secondary DNS servers. It is a fully automatic process, under normal circumstances.

Except for initial configuration, which we are working on now. ;)

> There's also the question of how many secondary servers we need, or how much DNS serving capacity. Most "normal" domains have one primary and one secondary server. I suggest one primary and two secondaries.

On 26 Sep 2006, at 18:20, Justizin wrote:
> (a) ZoneEdit probably has more zones than Rackspace, which is classified in Texas as a Small Business. ZoneEdit is well known enough that a handful of people on this small mailing list know of it. People don't quite always target Rackspace, they often targeted specific Rackspace customers. Someone might target ZoneEdit.

I meant specifically zope.org as the target for attack, not ZoneEdit. Even if ZoneEdit is targeted, two secondaries is still enough.

> (b) None of this matters because three of us offered to host slaves! Why are you arguing against doing something you volunteered to do?

I'm not. I'm arguing against the higher number of secondaries that you suggested earlier. Two secondaries is enough.